Log user in after registering - php

I want to log in the user after he registered.
So, you log in with a form using the POST method. Now I was thinking about doing it this way:
header("Location: index.php?doLogin=Login&user_email=$usr_email&pass=$data[pwd]");
But then, when you log in it's POST and not GET,
// Log in
if (isset($_POST['doLogin']) && $_POST['doLogin'] == 'Login')...
So what do I do? Another idea doing this maybe?

When the user logs in, you check the user credentials against the DB, then save state to the session, right?
Just do that after the user registers; no need to send the user to some page. Just do it in the same file where the registration takes place.

It's not really good to send the password over the URL. Send it over POST. Do you set a SESSION variable in your Login functions?
When you set the SESSION variable, it's easier to set the same variable directly after the registration and then redirect to index.php.

Related

how to correctly handle user's data after login

I am building a website that allows users to sign in. I currently have the register & login set up using jQuery -> php (on server) -> db and back, but now I am at a loss on how to handle things once the user logs in.
For example, if I wanted to call up a user's data in the member's page, how should I verify that the user is the authentic user? Should I save the id and password as variables/cookies (is it even safe?) and use that to get the user's info in the member's page? Or is there a better way to handle the user's data more securely?
I tried looking all over the place but I couldn't find a good place where architecture was explained well so I'm turning to SO for help!
Thanks in advance!
You should check the login status on every page.
During login, save the user id in a session variable and use another one simply as a flag, namely
$_SESSION['user_id'] = 24; // user id in db
$_SESSION['is_user_logged_in'] = 1; // set a flag
Check the value of the 2nd session variable on every page:
session_start();
// Redirect to the login page unless the flag is set to 1
if (!isset($_SESSION['is_user_logged_in']) || $_SESSION['is_user_logged_in'] != 1) {
    header('Location: login.php');
    exit; // stop here so the protected page is not rendered
}
I suggest you write this code in a separate file (login_check.php) and include it in every file:
include 'login_check.php';
Following this procedure will help you get the login status and id of the currently logged-in user wherever you want.
And on the logout page you have to destroy all your session values by using
session_destroy();
Abhinav pointed me in the right direction, but just in case someone else stumbles across the same problem, the correct starting place is the PHP session.
http://www.formget.com/login-form-in-php/ - an excellent tutorial on php login with sessions

Remembering which page the user wanted to go to

I have a few links on my page. Most of them will redirect to the homepage if the user is not logged in. Instead of doing that, I want to direct the user to the login page, then direct them to the page they originally wanted to go.
So, for example, if the user is on index.php, and clicks on page10.php without being logged in. S/he should get directed to login.php. After logging in, the website should remember that the user originally wanted to go to page10.php.
How do I do that remembering part? I understand I can use cookies and/or php sessions, but are those the most appropriate ways (in this scenario) of remembering that the user wanted to go to page10.php?
No need to use sessions or get variables, simply access the HTTP_REFERER from the $_SERVER array on your login page, set it to a hidden element in your form then after submission redirect back to that URI
Append desired URL as part of the link. So if a user is not logged in redirect him:
login.php?url=<desired_url>
Read the variable on the login page, and upon success redirect there instead of to index.
To get the URL on the server side look at $_SERVER['REQUEST_URI']
$_SERVER manual
First, redirect to login.php?return=ORIGINAL_URL
In login.php set $_SESSION['return'] = $_GET['return'];.
After a successful login, check if there is a $_SESSION['return'], if there is, and is a valid URL, redirect to it and unset $_SESSION['return'].
That's it.
PS: The reason why you should use the session is that the user may not log in successfully on the first try. Or he may not have an account and may want to register first. This way he will be redirected to the appropriate page even after creating an account.
Logging a user in implies that you will be using sessions. Sessions usually use a cookie, but they can be implemented by passing a session id around in the request if you don't want to or can't use cookies.
The appropriate way to do this is to use sessions as follows:
1) The authentication check redirects to the login page.
2) The login page checks if the target page is set in the session, and if it is not, it sets it to the referrer.
3) If the login form is valid, the target page is removed from the session and the user is redirected to the original page.
4) Otherwise the form is redisplayed.

Access to a website only when I grant them access

I have made a registration form and a login form using PHP. The registration form saves the user's information to a database.
But as I am pretty new to PHP, I want to achieve this thing. I have also made a whole template/theme of an e-commerce website, but I want the entrance page to be this registration form, and when I grant them access they should be able to see the whole content of my e-commerce website. By "grant them access" I mean that when they give me the fields of the registration form, they won't be able to enter the website until I send them a password. So my question is: how can I make them not able to see the entire website? What do I need to do to protect it? I mean, do I need to add code on the registration form, on the login form, or on the template/theme?
Thanks!
Try using a $_SESSION variable. For example, create a $_SESSION['loggedIN'] variable that is initially false. The page would always verify that variable to allow or deny access to the content.
I'm guessing there is also a log-in form, right?
So, you would only allow access ($_SESSION['loggedIN']=TRUE) once the log-in form action allows it. Of course there is all the verification and database access process, but that is a simple idea to solve your problem.
You would need to add code at the login page.
The code should handle the following:
Create $_SESSION[]
Create $_COOKIE[]
Create some secret way (database) to know sessions and cookies are not forged.
At the time or page access is restricted to those who are logged in,
Check $_SESSION, $_COOKIE against the secret way (database)
You need to track the registration process, for example track:
Has the email been sent to the user?
When was the email sent to the user?
Has the user confirmed registration?
Then set a column value verified=(boolean) in the main users table, to check with a query whether the user is verified.
Then use sessions to store data after successful login; you need to make simple IFs after session_start() to restrict access or disable viewing of content.
if(USER_HAS_ROLE){
// display_content
}else{
// don't display content
}
//----------------
if(USER_IS_LOGGED_IN){
// access website
}else{
// redirect to login page
}
One thing that doesn't seem to have been mentioned is that if the session loggedIn variable is false, after the header() redirect, the script should die() in case the user's browser ignores the Location: header.

Programmatically login a user like you can in ASP.net?

I've searched on this and I'm still not sure. In asp.net, I can programmatically login a user on the server side...and I'm not talking about a client-side script that fills in the forms automatically when they pull up the site. I can check something server-side and, if true, log them into the site. If false I can redirect to a user name/password form and make them type in the user name and password.
Is it possible to do something similar in PHP?
I have something I would like to do, but it sure would be nice not to waste time on something if it isn't even possible to begin with
Thanks!
-=-=-=
In asp.net the process works like this:
call uservalidate method to see if the credentials are correct
call formsauthentication.setauthcookie to set the authentication cookie
redirect user to predetermined page
e.g.,
Response.Cookies.Remove(FormsAuthentication.FormsCookieName);
FormsAuthentication.SetAuthCookie("username", false);
Response.Redirect("samepage.aspx");
Only on the redirect does the ticket get processed.
Sure it can - you need to read up on PHP Sessions.
You accept the user's credentials via a standard POST request sent from a form.
Take the credentials and check if they match (usually by querying a DB).
If they do, set a session variable to indicate the user has authenticated ($_SESSION['user_is_authenticated'] = true);
Check in your subsequent pages that need to be secured whether the user is authenticated or not - if he's not, redirect to the login page: if (empty($_SESSION['user_is_authenticated'])) { header('Location: login.php'); exit; }
I don't know ASP, but you'd simply just set the session in PHP. For example, if your login script looks for a user object in the session, you'd just load that user from your datasource and load it into the session. You'd also need to set whatever other flags you might be checking.
This is a common requirement when you want to give admins the ability to login as a user in your site.
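What these answers and the earlier register-then-log-in answers describe, as an added example (not code from any of the posters): one function sets the session state, and both the registration handler and the login handler call it, so no password ever travels in a URL. The in-memory $users array, the function names and the sample account are assumptions standing in for your database layer.

```php
<?php
declare(strict_types=1);

// Constructed in-memory user store standing in for the users table (assumption).
$users = [];

// The single place that turns "this request is authenticated" into session state.
function establish_session(int $userId): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true); // fresh session id whenever the login state changes
    $_SESSION['user_id'] = $userId;
    $_SESSION['is_user_logged_in'] = 1;
}

// Registration: store only a password hash, then log the new user in directly.
function register_user(array &$users, string $email, string $password): int
{
    if (isset($users[$email])) {
        throw new RuntimeException('email already registered');
    }
    $id = count($users) + 1;
    $users[$email] = ['id' => $id, 'hash' => password_hash($password, PASSWORD_DEFAULT)];
    establish_session($id);
    return $id;
}

// Login form handler: credentials arrive by POST and are checked against the hash.
function login_user(array $users, string $email, string $password): bool
{
    $row = $users[$email] ?? null;
    if ($row === null || !password_verify($password, $row['hash'])) {
        return false;
    }
    establish_session($row['id']);
    return true;
}

// Constructed demo values. In a web request, follow a success with
// header('Location: index.php'); exit;
$id = register_user($users, 'alice@example.test', 'correct horse battery');
var_dump($_SESSION['user_id'] === $id);
var_dump(login_user($users, 'alice@example.test', 'wrong password'));
```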

How can I capture the address that user was going to so I can redirect them after login?

I'm directing users to a page on my site from email (possibly an email client). When they reach the site they are presented with login screen and the address where they were headed is lost.
How can I capture the entire address that they were trying to visit, so that I can redirect them to it once they log in?
You need to capture the address as you redirect them to the login page, (ie when you check if they are logged in) I'd recommend storing it in a session. A very quick method would be to redirect to /login.php?from=store.php for example, however this is not the best way as the $_GET['from'] could be hijacked to redirect the user somewhere else, which is why I use $_SESSION to store this value.
First of all, I don't know much about Symfony so I will let you know what I do in PHP.
There are a few techniques I use depending on the app.
Option 1: I send the user to the page they are to log into, e.g. mydomain.com/landing.php and set a SESSION variable with the URL before redirecting to the login form. When the login is performed successfully there is a header function that will redirect to the originating page where the logged in user can now interact with the page.
Option 2: I create a login function, and where there is no login SESSION or COOKIE the form is called. Upon submitting the form using action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>" I set a POST variable, and before any HTML tag is called I have something like
if(isset($_POST['run_login'])) {
include('my_login_handler.php');
}
This takes care of the login activity and doesn't require any redirection to the target page as it is handled inline.
Option 3: Like option 2, I create a login function where there is no login SESSION or COOKIE, but this time I POST the data to my_login_handler.php rather than including it. Upon successful authentication to the site I call header('Location: '.$_SERVER['HTTP_REFERER']); that will redirect to the referring page, meaning I don't need to set any special COOKIES or SESSION variables to handle the redirect back to the target page.
The right option, regardless if it is here or not, is going to depend on your application and what you can/need to do. So have a play with the various suggestions and see what works best in the application you're currently working on.
Good luck!
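An added example (not from any poster) of the session-based return target described in this thread and in the earlier "Remembering which page the user wanted to go to" answers, including the "is a valid URL" check: only paths on the same site are accepted, so a crafted from/return value cannot send the user to another host. The function names and the sample inputs are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Accept only a path on this site; anything else falls back to $default.
function safe_return_path($candidate, string $default = '/index.php'): string
{
    if (!is_string($candidate) || $candidate === '') {
        return $default;
    }
    // Must start with exactly one "/": rejects "https://...", "//host", "page.php".
    if ($candidate[0] !== '/' || substr($candidate, 0, 2) === '//') {
        return $default;
    }
    // Backslashes and control characters (CR/LF included) are refused outright.
    if (preg_match('/[\\\\\x00-\x1f\x7f]/', $candidate) !== 0) {
        return $default;
    }
    $parts = parse_url($candidate);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $default;
    }
    return $candidate;
}

// login.php on arrival: keep the first validated target across failed attempts.
function remember_target(array &$session, array $get): void
{
    if (!isset($session['return'])) {
        $session['return'] = safe_return_path($get['return'] ?? null);
    }
}

// After a successful login: use the target once, then forget it.
function consume_target(array &$session): string
{
    $target = safe_return_path($session['return'] ?? null);
    unset($session['return']);
    return $target; // caller: header('Location: ' . $target); exit;
}

// Constructed inputs; a plain array stands in for $_SESSION so this runs from the CLI.
$session = [];
remember_target($session, ['return' => '/page10.php?id=3']);
echo consume_target($session), "\n";
foreach (['https://other.example/', '//other.example/x', '/\\other.example', 'page10.php'] as $bad) {
    echo json_encode($bad), ' => ', safe_return_path($bad), "\n";
}
```

In a real login page, pass $_SESSION and $_GET to these functions after session_start().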
